Managing access to media accounts

ABSTRACT

In some implementations, a computing system can manage access to media sources associated with a user&#39;s media account. For example, the system can coordinate access to a user&#39;s media account between local and network devices such that when access to the user&#39;s media account is granted to an application on a user device, the application can access both local and network media sources associated with the user&#39;s media account. Similarly, when access to the user&#39;s media account is revoked from an application at a user device or at a network device, the application is prevented from accessing both local and network media sources associated with the user&#39;s media account.

RELATED APPLICATION

This application claims priority to U.S. Provisional Application No.62/448,505, filed on Jan. 20, 2017, the content of which is incorporatedherein by reference in its entirety.

TECHNICAL FIELD

The disclosure generally relates to managing access to local and networkmedia sources.

BACKGROUND

Users of computing devices, such as smartphones, tablet computers,wearable devices, and the like, often use these computing devices tomanage and/or access media from a variety of media sources. For example,a user may have a local media library on the computing device from whichthe user can playback music, videos, movies, and other media items. Insome cases, the user may also have a subscription to an online mediaservice. The user can use the computing device to access media itemsfrom the online media service, for example. In some instances, theonline media service and the user's local media library can be tied tothe same user account and/or online media service.

Some computing device may include applications that are configured tointeract with the user's local media library and/or online media serviceaccount. For example, a third party software application installed onthe computing device may make media item recommendations based on themedia items in the user's local media library and/or media items thatthe user has recently played through the online media service. Thus, asystem is needed that allows the user to quickly and easily manageaccess to both local and online media sources.

SUMMARY

In some implementations, a computing system can manage access to mediasources associated with a user's media account. For example, a user canprovide input to a user device granting an application on the userdevice access to both a local media library and a network media serviceassociated with the user's media account. The user device can request anaccess token for accessing the user's media account with the networkmedia service and the user device can provide the access token to theapplication.

In some implementations, a user can provide input to the user device torevoke the application's access to the user's media account. In responseto receiving the input, the user device can prevent the application fromaccessing the local media library and send a message to the networkmedia service to invalidate the access token associated with theapplication on the user device. Thus, the application will no longer beable to access the local media library and the user's media account withthe network media service.

In some implementations, the user can provide input to an accountadministration interface of the network media service to revoke anapplication's access to the user's media account with the network mediaservice. In response to receiving the input, the network media servicecan invalidate the access tokens previously generated for instances ofthe application on each user device and send a message to each userdevice indicating that the application is no longer authorized to accessthe local media library on the device. Upon receiving the message, thereceiving user device can change the settings of the user device toprevent the application from accessing the local media library on theuser device. Thus, the application will no longer be able to access thelocal media library and the user's media account with the network mediaservice.

Particular implementations provide at least the following advantages. Auser need only provide a single user input to disable an application'saccess to both local and network media sources associated with theuser's media account. Because access is controlled on an per devicebasis, the user has greater control over which applications can accessdata on which user devices. By granting and revoking access at both alocal device level and a network service level, an application's accessto a user's media account can be made more consistent between local andnetwork media services.

Details of one or more implementations are set forth in the accompanyingdrawings and the description below. Other features, aspects, andpotential advantages will be apparent from the description and drawings,and from the claims.

DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram of an example system for managing access to auser's media account at a user device.

FIG. 2 illustrates an example graphical user interface for managingaccess to a user's media account.

FIG. 3 is a block diagram of an example system for revoking anapplication's access to the user's media account at a user device.

FIG. 4A illustrates an example graphical user interface for revoking anapplication's access to a network media service from all user devices.

FIG. 4B illustrates an example graphical user interface for revoking anapplication's access to a network media service from a specific userdevice.

FIG. 5 is a block diagram of an example system for revoking anapplication's access to a user's media account from a network mediaservice.

FIG. 6 is flow diagram of an example process for enabling an applicationto access a user's media account from a user device.

FIG. 7 is an example process for revoking an application's access to theuser's media account from a user device.

FIG. 8 is an example process for revoking an application's access to theuser's media account from a network media service.

FIG. 9 is a block diagram of an exemplary system architectureimplementing the features and processes of FIGS. 1-8 .

Like reference symbols in the various drawings indicate like elements.

DETAILED DESCRIPTION

FIG. 1 is a block diagram of an example system 100 for managing accessto a user's media account at a user device. For example, system 100 canenable (e.g., grant) and/or disable (e.g., revoke) an application'saccess to a user's media account, including the user's local medialibrary and the user's account with a network media service, based onuser input received at a local device (e.g., user device 110) and/oruser input received at a remote device (e.g., server device 140). System100 can manage the application's access to the user's media account suchthat the application's access to the local media library and theapplication's access to the user's account with the network mediaservice is consistent between local and remote devices.

In some implementations, system 100 can include user device 110. Forexample, user device 110 can be a computing device, such as a desktopcomputer, laptop computer, smartphone, tablet computer, and the like.User device 110 can be a wearable device, such as a smart watch, smartglasses, and similar devices. User device 110 can be operated by asingle user. User device 110 can be operated by multiple users who havedifferent accounts on user device 110.

In some implementations, user device 110 can include operating system112. For example, operating system 112 can be a software system thatcontrols basic and/or core functionality of user device 110. Operatingsystem 112 can control communication interfaces, core softwareframeworks, core system functions, etc., of user device 110. Forexample, applications running on user device may interact withapplication programming interfaces (APIs) of operating system 112 tocommunicate with other devices and/or access local data on user device110, such as local media library 116.

In some implementations, user device 110 can include settings 114. Forexample, settings 114 can be settings managed by operating system 112that define how various aspects of operating system 112 and/or userdevice 110 should work. For example, settings 114 can include privacysettings that define which applications on user device 110 can access auser's media account (e.g., local media library 116 and/or the user'saccount with network media service 142). A user can interact with aprivacy settings graphical user interface (GUI) presented by operatingsystem 112 to enable and/or disable an application's access to theuser's media account on user device 110 and server device 140.

In some implementations, user device 110 can include local media library116. For example, local media library 116 can be a repository (e.g.,database) of media items stored locally on user device 110. Local medialibrary 116 can include digital media items such as music, movies, talkshows, electronic books, etc., associated with the user's media account.For example, the user may have a media account with an online mediavendor through which the user purchases, rents, or streams media items.The media account can be a subscription account through which the usercan be provided access by the online media vendor to music, movies,television shows, and/or other media items such as electronic books,radio talk shows, etc. The media items in local media library 116 caninclude media items purchased, rented, temporarily downloaded throughthe user's subscription, and/or streamed from the online media vendor.The media items in local media library 116 can include media itemsobtained from physical storage devices (e.g., compact discs, DVDs, orother recording media) purchased from physical brick and mortar mediamerchants.

In some implementations, user device 110 can include application 118.For example, application 118 can be an application that is configured touse media data obtained through the user's media account (e.g., localmedia library 116 and/or the user's account with network media service142) to provide some service to the user. Application 118 can be anapplication created by the vendor of user device 110. Application 118can be an application created by a third party vendor.

To enable access to the user's media account, application 118 can invokea media access request API of operating system 112 to request access tothe user's media account. When the API is invoked, operating system 112can present a prompt on a display of user device 110 prompting the userto provide input (e.g., select a confirmation button) allowingapplication 118 access to the user's media account. When the userprovides input allowing (e.g., granting) application 118 access to theuser's media account, operating system 112 can modify settings 114(e.g., privacy settings) to indicate that application 118 is allowed toaccess the user's media account. For example, the operating system 112can store data in settings 114 that maps an application identifier forapplication 118 to the corresponding media access setting (e.g., mediaaccess allowed/granted). After the data in settings 114 is modified toallow application 118 access to the user's media account, application118 can use APIs of operating system 112 to access local media library116. For example, operating system 112 can control access (e.g., allowor deny access) to local media library 116 based on the privacy and/ormedia access settings in settings 114.

In addition to modifying settings 114 to allow access to local medialibrary 116, operating system 112 can enable access to a network mediaservice associated with the user's media account. For example, operatingsystem 112 can send token request 120 to network media service 142 onserver device 140 through network 130 (e.g., the Internet, LAN, WAN,etc.) to obtain a token that will allow application 118 to access theuser's account with network media service 142.

In some implementations, system 100 can include server device 140. Forexample, server device 140 can be a computing device that operates toprovide network media service 142. Network media service 142 can be, forexample, a streaming media service that provides users who haveregistered user accounts with network media service 142 access to mediaitems, such as music, movies, audio books, talk shows, etc. For example,the user of user device 110 can use user device 110 to access networkmedia service 142. Network media service 142 can stream media itemsselected by the user to user device 110 and user device 110 can presentthe media items to the user. In some implementations, network mediaservice 142 may collect data that describes the user's media consumptionhabits.

Applications on user device 110 (e.g., application 118) may obtain thedata collected by network media service 142 to provide additionalfeatures, services, or functionality to the user of user device 110 whenaccess to the user's account with network media service 142 is grantedto the applications by the user of user device 110. Thus, when networkmedia service 142 receives token request 120 from user device 110,network media service 142 can generate an access token that application118 can use to access the user's account with network media service 142.

In some implementations, network media service 142 can receive tokenrequest 120. For example, token request 120 can include an applicationidentifier for application 118, a user identifier for the user of userdevice 110, a user device account identifier corresponding to the userlogin for user device 110 (e.g., when user device 110 is a multiuserdevice), and/or a device identifier for user device 110. In response toreceiving token request 120, network media service 142 can generate atoken (e.g., access token) that allows application 118 to access theuser's account at network media service 142. Each token generated bynetwork media service 142 can be application, user, and device specific.Thus, even though multiple devices owned by the same user include aninstance of application 118, network media service 142 can generate adifferent access token for each instance of application 118 on thedifferent user devices. When a user device is a multiuser device,network media service 142 can generate a different access token for eachuser (e.g., each user account or login on a device) who uses aparticular application instance on a particular device. Network mediaservice 142 can store the generated access token in token database 144in association with the application identifier, user identifier, userdevice account identifier, an issuance timestamp indicating the dateand/or time when the token was generated and/or issued to theapplication associated with the application identifier, a revocationtimestamp indicating the date and/or time when the token was revoked (ifthe token was revoked), and/or device identifier received in tokenrequest 120. Network media service 142 can send the access token (e.g.,token 150) to operating system 112 on user device 110.

In some implementations, operating system 112 can receive token 150 fromnetwork media service 142. For example, when operating system 112receives token 150 from network media service 142, operating system 112can store token 150 in association with the application identifier forapplication 118 in token repository 122. Application 118 can obtaintoken 150 from token repository 122 or operating system 112 can sendtoken 150 to application 118. Application 118 can then use token 150 toaccess the user's account at network media service 142. For example,when application 118 sends a request to network media service 142,application 118 can send token 150 with the request. Network mediaservice 142 can use token 150 to determine whether application 118 isauthorized to access the user's account with network media service 142.For example, if the token provided by application 118 corresponds to avalid or active token in token database 144, then network media service142 can allow application 118 to access the user's account with networkmedia service 142.

FIG. 2 illustrates an example graphical user interface 200 for managingaccess to a user's media account. For example, GUI 200 can be presentedby operating system 112 on a display of user device 110 in response toreceiving user input indicating that the user wishes to view privacysettings associated with the user's media account.

In some implementations, GUI 200 can identify applications installed onuser device 110. For example, GUI 200 can include graphical elements202, 204, and/or 206 identifying and/or representing applicationscurrently installed on user device 110. Each graphical element 202, 204,and/or 206 can have a corresponding selectable element 208 for modifyingthe user media account access setting for the corresponding application.For example, the user can select graphical element 208 to enable and/ordisable the corresponding application's access to the user's mediaaccount, including local media library 116 and/or the user's accountwith network media service 142. For example, if graphical element 202corresponds to application 118 on user device 110, the user can selectgraphical element 208 to revoke or disable access to the user's mediaaccount for application 118. In response to receiving the user inputrevoking access to the user's media account, operating system 112 canstore the revoked access setting for application 118 in settings data114 to indicate that application 118 should not be allowed access to theuser's media account.

FIG. 3 is a block diagram of an example system 300 for revoking anapplication's access to the user's media account at a user device. Forexample, system 300 can correspond to system 100 of FIG. 1 .

In some implementations, system 300 can be configured to revoke anapplication's access to the user's media account. For example, the userof user device 110 can provide input to invoke a privacy settings GUI,as described above with reference to FIG. 2 . The user can provide inputto change the privacy setting associated with application 118 to revokethe application's access to the user's media account. In response toreceiving the input revoking the application's access to the user'smedia account, operating system 112 can store data in settings 114mapping the revoked or disabled access (e.g., a flag or value indicatingwhether the application has access to the user's media account) to theapplication identifier for application 118. When settings 114 indicatesthat application 118 is not allowed access to the user's media account,operating system 112 can prevent application 118 from accessing localmedia library 116 when application 118 invokes an API for accessinglocal media library 116.

Additionally, when the user revokes application 118's access to theuser's media account by changing the privacy settings associated withapplication 118, operating system 112 can send a revoke token message302 to network media service 142 to prevent application 118 fromaccessing the user's account at network media service 142. For example,revoke token message 302 can include the previously issued token 150.Revoke token message 302 can include an identifier for the user of userdevice 110, an identifier for user device 110 and/or an identifier forapplication 118.

When network media service 142 receives revoke token message 302,network media service 142 can find a token entry in token database 144that corresponds to the token, application identifier, user identifier,and/or device identifier included in revoke token message 302. Afterfinding the token entry, network media service 142 can delete the tokenand/or token entry from token database 144 or mark the token invalid inthe token entry in database 144. For example, network media service 142can mark the token invalid by entering a timestamp in the token entryindicating the date and/or time when the token was revoked. Ifapplication 118, or some other client, later attempts to use token 150to access network media service 142, network media service 142 can lookup token 150 in token database 144, determine that the token is missingor invalid, and prevent application 118 from accessing network mediaservice 142. For example, network media service 142 can determine thattoken 150 is invalid by comparing token issuance and revocationtimestamps. When the token revocation timestamp is later (e.g., morerecent) than the token issuance timestamp, then network media service142 can determine that the corresponding token is invalid. Thus,application 118 will be prevented from accessing both the local mediarepository 116 on user device 110 and the user's account on networkmedia service 142 when the user revokes the application's access to theuser's media account on user device 110.

FIG. 4A and FIG. 4B illustrate example graphical user interfaces 400 and450 for revoking an application's access to the user's media accountfrom a network media service's user account administrative interface.For example, GUI 400 and GUI 450 can be user account administration webpages generated by network media service 142 and presented on a displayof a user device through a web browser running on the user device. Auser can use the web browser application on a computing device to login(e.g., provide user name and password or other authentication data) tonetwork media service 142 and access GUI 400 and/or GUI 450 to adjustthe privacy settings associated with the user's account with networkmedia service 142. For example, the user can provide input to GUI 400and/or GUI 450 to enable and/or disable an application's access to theuser's media account, including the local media libraries on the user'sdevices and the user's account with network media service 142.

FIG. 4A illustrates an example graphical user interface 400 for revokingan application's access to a network media service from all userdevices. For example, GUI 400 can include graphical elements 402, 404,and/or 406 corresponding to and identifying each application that hasaccess to the user's account with network media service 142. Forexample, GUI 400 can present graphical elements 402, 404, and/or 406corresponding to application that the user has previously authorized toaccess the user's media account. Stated differently, graphical elements402, 404, and/or 406 can represent applications for which network mediaservice 142 has generated access tokens (e.g., token 150) and for whichtoken database 144 has token entries.

In some implementations, network media service 142 can receive userinput revoking an application's access to the user's media account. Forexample, the user can select graphical element 410 corresponding tographical element 402 to revoke the corresponding application's accessto the user's media account. When the user selects graphical element 410on GUI 400, the user is indicating that the user wishes to revoke theapplication's access to the user's media account across all of theuser's devices. Thus, when network media service receives the selectionof graphical element 410, network media service 410 can invalidate ordelete all access tokens in token database 144 that are associated withboth the user identifier of the logged in user and the applicationidentifier of the application corresponding to graphical element 402.Network media service 140 can then send a message to each user deviceupon which the application is installed to cause the user devices tochange the local privacy settings associated with the application toprevent the application from accessing the local media library on eachdevice, as described in greater detail below.

FIG. 4B illustrates an example graphical user interface 450 for revokingan application's access to a network media service from a specific userdevice. For example, GUI 450 can include graphical elements 452, 454,456, and/or 458 corresponding to and identifying each applicationinstance, and corresponding devices that have access to the user'saccount with network media service 142. For example, rather thanpresenting a graphical element that represents all instances of anapplication across all devices, as illustrated by GUI 400, GUI 450 canpresent graphical elements 452, 454, 456 and/or 458 corresponding toindividual application instances on individual user devices that theuser has previously authorized to access the user's media account.Stated differently, graphical elements 452, 454, 456 and/or 458 canrepresent individual application instances on individual user devicesfor which network media service 142 has generated access tokens (e.g.,token 150) and for which token database 144 has token entries. When auser device is a multiuser device, GUI 450 can present graphicalelements similar to graphical elements 452, 454, 456 and/or 458 thatrepresent individual user device accounts on individual devices thathave granted access to corresponding application instances on thoseindividual devices. Thus, a user can revoke an application's access to aparticular user account on a particular user device.

In some implementations, network media service 142 can receive userinput revoking an application instance's access to the user's mediaaccount. For example, the user can select graphical element 470corresponding to graphical element 452 to revoke the correspondingapplication's access to the user's media account. When the user selectsgraphical element 470 on GUI 450, the user is indicating that the userwishes to revoke a particular application instance's access to theuser's media account on a specific user device. Thus, when network mediaservice receives the selection of graphical element 470, network mediaservice 410 can invalidate or delete the access token in token database144 that is associated with the user identifier of the logged in user,the application identifier of the application corresponding to graphicalelement 452, and the specific user device corresponding to graphicalelement 452. Network media service 140 can then send a message to theuser device corresponding to graphical element 452 to cause the userdevice to change the local privacy settings associated with theapplication to prevent the application from accessing the local medialibrary on the user device, as described in greater detail below.

FIG. 5 is a block diagram of an example system 500 for revoking anapplication's access to a user's media account from a network mediaservice. For example, system 500 can correspond to system 100 and/orsystem 300, described above.

In some implementations, system 500 can include user device 510. Forexample, user device 510 can be configured similarly to user device 110.User device 510 can include operating system 512, settings 514, localmedia library 516, application 518, and token repository 522 thatperform similar operations as operating system 112, settings 114, localmedia library 116, application 118, and token repository 122, asdescribed above with respect to user device 110.

In some implementations, user device 510 and user device 110 can be usedor owned by the same user and may be associated with the same user mediaaccount. The user can enable or grant application 518 access to theuser's media account, including local media library 516 and the user'saccount with network media service 142 in a similar manner as describedabove with reference to FIG. 1 . The user can revoke or disableapplication 518's access to the user's media account through a settingsGUI presented by operating system 512, as described above with referenceto FIG. 2 and FIG. 3 .

In some implementations, an application's access to a user's mediaaccount can be disabled or revoked through network media service 142.For example, a user can use a web browser application to access anaccount administration web page provided by network media service 142.The user can login to network media service 142 through the web browseron a computing device by providing the user's authentication information(e.g., user name and password). After the user is authenticated withnetwork media service 142, the user can navigate the web browser to aprivacy settings administration web page to adjust the privacy settingsassociated with the user's media account, as illustrated by FIG. 4A andFIG. 4B.

In some implementations, network media service 142 can receive userinput identifying an application for which access to the user's mediaaccount should be revoked, as described above with reference to FIG. 4A.In response to receiving the user input, network media service 142 candetermine device identifiers for all user devices in token database 144that are associated with the application identifier of the selectedapplication and the user identifier of the user who is logged intonetwork media service 142. Network media service 142 can invalidate(e.g., store data indicating that the token is invalid or delete thetoken) all access tokens stored in token database 144 that areassociated with the application identifier of the selected applicationand the user identifier of the user who is logged into network mediaservice 142. For example, network media service 142 can store atimestamp in association with an application identifier and the useridentifier indicating the date and/or time when a token was issued to anapplication identified by the application identifier. Network mediaservice 142 can store a timestamp in association with an applicationidentifier and the user identifier indicating the date and/or time whena token previously issued to an application identified by theapplication identifier was revoked by the identified user. Network mediaservice 142 can determine that the token is invalid if the revocationtimestamp associated with application identifier and user identifier islater (e.g., more recent) than the token issuance timestamp.

In some implementations, network media service 142 can send an accessrevocation notification 502 to each device corresponding to thedetermined device identifiers. The access revocation notification 502can include the application identifier corresponding to the applicationfor which access to the user's media account is being revoked. Forexample, network media service 142 can send access revocationnotification 502 to both user device 110 and user device 510 to revokeapplication 118's access and application 518's access to the user'smedia account.

Upon receiving revocation notification 502, operating system 112 on userdevice 110 can change settings 114 to indicate that application 118 isnot authorized to access local media library 116. Operating system 112can also delete the token associated with the application identifierreceived in access revocation notification 502 from token repository122.

Similarly, upon receiving revocation notification 502, operating system512 on user device 510 can change settings 514 to indicate thatapplication 518 is not authorized to access local media library 516.Operating system 512 can also delete the token associated with theapplication identifier received in access revocation notification 502from token repository 522. However, in some cases, user device 510 maybe offline and/or otherwise unable to receive revocation notification502. If user device 510 does not receive revocation notification 502,operation system 512 may not change settings 514 to indicate thatapplication 518 is not authorized to access local media library 516 andthe token associated with the application identifier for application 518may not be deleted. In this case, application 518 may request access tothe user's account with network media service 142 using the revokedtoken. However, since network media service 142 has stored the timestampindicating when the token associated with application 518 was issued andrevoked, network media service 142 can compare the token issuancetimestamp to the token revocation timestamp to determine if the tokenused by application 518 is still valid. If the revocation timestamp islater than the token issuance timestamp, network media service 142 candetermine that the token is invalid and send another revocationnotification 502 to all user devices associated with the correspondinguser identifier. The receiving devices can then prevent application 518from accessing the local media libraries by adjusting settings 514, asdescribed above.

If the revocation timestamp is earlier than the token issuance timestamp(e.g., the token was reissued after an earlier revocation), then networkmedia service 142 can determine that the token is valid (or reissue thetoken, or issue a new token) and allow application 518 to access theuser's account with network media service 142.

In some implementations, network media service 142 can receive userinput identifying an application instance on a particular user devicefor which access to the user's media account should be revoked, asdescribed above with reference to FIG. 4B. For example, instead ofinvalidating all access tokens in token database 144 associated with theidentifier of the selected application and the identifier for the loggedin user, network media service 142 can invalidate the access tokenassociated with the application identifier and the device identifier intoken database 144 for the selected application on the selected userdevice. Thus, the access token associated with a particular applicationinstance on a particular device can be invalidated instead ofinvalidating all application instances on all user devices associatedwith the logged in user.

After invalidating the token for the selected application instance onthe selected user device, network media service 142 can send revocationnotification 502 to the selected user device. For example, the user canselect to revoke application 518's access to the user's media account.Network media service 142 can send revocation notification 502 to userdevice 510 (e.g., instead of all user devices). Revocation notification502 can identify application 518, for example. Upon receiving revocationnotification 502, operating system 512 on user device 510 can changesettings 514 to indicate that application 518 is not authorized toaccess local media library 516. Operating system 512 can also delete thetoken associated with the application identifier for application 518received in access revocation notification 502 from token repository522. Thus, application 518 on user device 510 will no longer be able toaccess local media library 516 on user device 510 and will no longer beable to access the user's account with network media service 142.

In some implementations, the systems above can revoke an application'saccess to a user's media account in response to other user activities.For example, when a user signs out of the user's media account and/orsigns out of the user's account with the network media service on a userdevice, the operating system of the user device can notify the networkmedia service that the user has signed out of the user's account. Thenotification can, for example, include a user identifier for the user.In response to receiving the notification, the network media service canrevoke all access tokens issued for all applications associated with theuser identifier. However, the operating system may not change the localaccess settings. Thus, authorized applications on the user device maystill access the local media library. Deletion of a media applicationcorresponding to the network media service may be treated the same asthe user signing out of the user's account with network media service.

In some implementations, when the user changes their password to theuser's media account and/or the user's account with the network mediaservice, the systems described above can revoke all access tokens issuedfor all applications associated with the user identifier. In someimplementations, when the user's media account and/or the user's accountwith the network media service is not in good standing (e.g., the userhas failed to pay a renewal for a subscription), the systems describedabove can revoke all access tokens issued for all applicationsassociated with the user identifier. These revocations can be initiatedfrom the user device and/or from the network media service, as describedwith respect to the systems above and the processes below.

In some implementations, a group of applications can be granted accessto the user's media account. For example, instead of managing access tothe user's media account on an individual application basis (e.g., perapplication identifier), the systems described above can manage accessto the user's media account on an application vendor basis (e.g., pervendor identifier). For example, an application vendor may create asuite or group of applications that may use data from the user's mediaaccount to provide various services to the user. Instead of controllingaccess to the user's media account with respect to each individualapplication and keeping track of multiple application identifiers, thesystems described above can control access to the user's media accountfor the group of applications provided by the application vendor. Thiscan be accomplished in the above systems by substituting an applicationvendor identifier for the application specific identifiers describedabove. Each application in a group of vendor applications can requestaccess to the user's media account by providing a vendor identifier tothe system. The system can control (e.g., grant and revoke) access basedon the vendor identifier. Since the vendor identifier is shared acrossall applications provided by the vendor, access granted to the firstvendor application can allow all vendor applications to access theuser's media account. Similarly, revocation of access for one vendorapplication would result in revocation of access for all vendorapplications.

Example Processes

FIG. 6 is flow diagram of an example process 600 for enabling anapplication to access a user's media account from a user device. Forexample, process 600 can be performed by a computing device or system ofcomputing devices, as described above.

At step 602, a computing device can receive a request to allow anapplication to access a user's media account. For example, anapplication on a user device may send a request to the operating systemof the user device requesting access to the user's media account. Forexample, the user's media account can include a local media librarystored on the user device and/or a user account with a network mediaservice.

At step 604, the computing device can prompt the user to allow theapplication to access the user's media account. For example, theoperating system of the user device can present on a display of the userdevice a graphical prompt requesting that the user allow the requestingapplication access to the user's media account.

At step 606, the computing device can receive user input granting theapplication access to the user's media account. For example, the usercan provide input indicating that the user would like to grant theapplication access to the user's media account.

At step 608, the computing device can store a local setting on the userdevice allowing the application to access the local media library. Forexample, the operating system of the user device can receive the userinput granting the application access to the user's media account andstore a setting that indicate that the application is allowed to accessthe user's media account. When the application subsequently attempts toinvoke an operating system API for accessing the local media librarystored on the user device, the operating system can determine whether toallow the application access to the local media library based on thesetting. If the setting indicates the application should be allowedaccess to the user's media account, the operating system can allow theapplication to access the local media library. If the setting indicatesthat the application should not be allowed to access the user's mediaaccount, the operating system can prevent the application from accessingthe local media library.

At step 610, the computing device can send a request to the networkmedia service to allow the application to access the user's account atthe network media service. For example, in response to receiving theuser input allowing the application to access the user's media account,the operating system of the user device can send a request to thenetwork media service requesting an access token for accessing theuser's account at the network media service. The request can include auser identifier for the user of the user device, a device identifier forthe user device, and/or an application identifier for the applicationrequesting access to the user's media account. Upon receipt of therequest the network media service can generate an access token for theapplication instance on the user device and store the access token intoken database 144, as described above.

At step 612, the computing device can receive the access token from thenetwork media service. For example, the operating system on the userdevice can receive the access token from the network media service.

At step 614, the computing device can store the access token inassociation with the application identifier. For example, upon receiptof the access token from the network media service, the operating systemon the user device can store the access token in association with theapplication identifier for the requesting application.

At step 616, the computing device can provide the access token to therequesting application. For example, the operating system of the userdevice can send the access token to the requesting application. Therequesting application can then use the access token to access theuser's account at the network media service.

FIG. 7 is an example process 700 for revoking an application's access tothe user's media account from a user device. For example process 700 canbe performed by system 100, 300, and/or 500 described above.

At step 702, a computing device can receive user input revoking anapplication's access to a user's media account. For example, the usercan invoke a settings GUI of the operating system of a user device toview the media account access settings for applications on the userdevice, as described above with reference to FIG. 2 . The user canprovide input to the settings GUI to revoke an application's access tothe user's media account and the operating system can receive the inputspecifying the new application setting indicating that that applicationdoes not have permission to access the user's media account.

At step 704, the computing device can store the user media accountaccess setting for the application to prevent local media libraryaccess. For example, the operating system of the user device can storeprivacy setting data indicating that the application is not allowed toaccess the user's media account. When the application later attempts toaccess the local media library on the user device through the operatingsystem, the operating system can determine whether the applicationshould be allowed to access the local media library based on the usermedia account access setting associated with the application. When theaccess setting indicates that the application is not allowed access tothe user's media account, the operating system can prevent theapplication from accessing the local media library.

At step 706, the computing device can send a message to a network mediaservice indicating that the application's access to the user's accountat the network media service should be revoked. For example, the messagecan identify the user of the user device, the user device, and/or theapplication for which access is being revoked. The message can includethe access token previously provided to the application.

At step 708, a server device can invalidate the access token associatedwith the user device and application at the network media service. Forexample, the network media service running on the server device canreceive the message sent at step 706. The network media service can finda token entry (e.g., record) in the token database that corresponds tothe user, user device, and application identified in the message andinvalidate the token by deleting the token entry or storing data in thetoken entry in the token database indicating that the token is invalid.When the application, or other client, attempts to access the user'saccount with the network media service using the invalid token, thenetwork media service can prevent the application, or the client, fromaccessing the user's account with the network media service.

FIG. 8 is an example process 800 for revoking an application's access tothe user's media account from a network media service. For exampleprocess 800 can be performed by system 100, 300, and/or 500 describedabove.

At step 802, a server device can receive an indication that a userwishes to revoke an application's access to the user's account with thenetwork media service. For example, the user can login (e.g., input useridentifier and password) to the network media service to access a GUI ofthe network media service running on the server device through a webbrowser running on a user device. The network media service can, forexample, serve a user account administrative web page (e.g., accountsettings page) to the browser on the user device. The user can provideinput to the web page through the browser to revoke an application'saccess to the user's media account, including the user's account withthe network media service and local media libraries on one or more ofthe user's devices.

At step 804, the server device can determine user devices that have anapplication for which an access token has been granted. For example, thenetwork media service can determine token entries associated with theuser identifier and application identifier corresponding to theapplication specified by the user at step 802 and obtain from the tokenentries device identifiers corresponding to devices that haveapplications corresponding to the application identifier that have beengranted access to the user's media account.

At step 806, the server device can invalidate tokens associated with theapplication, user, and device identifiers. For example, the networkmedia service can delete the access tokens associated with the selectedapplication, user, and devices. The network media service can store data(e.g., a flag, a Boolean value, revocation timestamp, etc.) indicatingthat the access tokens are invalid. For example, the data indicatingthat the access tokens are invalid can be stored in the access tokendatabase in association with the application identifier, deviceidentifier, user identifier and access token, as described above. Thenetwork media service can determine a token is invalid when the tokenrevocation timestamp is later (e.g., more recent) than the tokenissuance timestamp.

At step 808, the server device can send a notification to the userdevices corresponding to the device identifiers indicating that theapplication's access to the user's media account has been revoked. Forexample, the network media service can send a message to each userdevice that identifies the application for which access to the user'smedia account is being revoked.

At step 810, a user device can delete the access token associated withthe application on the user device. For example, the operating system oneach user device that receives the message sent at step 808 can deletethe locally stored access token associated with the applicationidentified in the message.

At step 812, the user device can adjust the settings on the user deviceto disable the application's access to the local media library. Forexample, the operating system on each user device that receives themessage sent at step 808 can adjust the privacy settings stored locallyon the user device to indicate that the application identified in themessage is no longer allowed to access the user's media account. Whenthe application later attempts to access the local media library, theoperating system on the user device can determine based on the settingsthat the application is not allowed access to the user's media account,including the local media library, and can prevent the application fromaccessing the local media library based on the settings.

In some implementations, the user device may not receive the tokenrevocation notification sent by server device at step 808. Thus, theuser device may not perform steps 810 and 812 to delete the token andchange the settings of the user device to prevent the application fromaccessing the local media library on the user device. In this case, theapplication may still have access to the local media library on the userdevice and may attempt to use the token after token revocation to accessthe user's media account with the network media service. When theapplication sends the token to the network media service, the networkmedia service can compare the token issuance timestamp for the token andthe token revocation timestamp for the token to determine that the tokenprovided by the application is invalid. When the network media servicedetermines that the token is invalid, the network media service can senda notification to the user devices associated with the user identifierto revoke the token and/or the user's access to the local media library,as described above at step 808. The receiving user devices can thenperform steps 810 and 812 to revoke the application's access to thelocal media library and the user's network media account, as describedabove. If the issuance timestamp is more recent than the revocationtimestamp, then the network media service can reissue an access token(e.g., issue a new access token) for the requesting application, asdescribed above.

Graphical User Interfaces

This disclosure above describes various Graphical User Interfaces (GUIs)for implementing various features, processes or workflows. These GUIscan be presented on a variety of electronic devices including but notlimited to laptop computers, desktop computers, computer terminals,television systems, tablet computers, e-book readers and smart phones.One or more of these electronic devices can include a touch-sensitivesurface. The touch-sensitive surface can process multiple simultaneouspoints of input, including processing data related to the pressure,degree or position of each point of input. Such processing canfacilitate gestures with multiple fingers, including pinching andswiping.

When the disclosure refers to “select” or “selecting” user interfaceelements in a GUI, these terms are understood to include clicking or“hovering” with a mouse or other input device over a user interfaceelement, or touching, tapping or gesturing with one or more fingers orstylus on a user interface element. User interface elements can bevirtual buttons, menus, selectors, switches, sliders, scrubbers, knobs,thumbnails, links, icons, radio buttons, checkboxes and any othermechanism for receiving input from, or providing feedback to a user.

Privacy

The present disclosure recognizes that the use of such personalinformation data, in the present technology, can be used to the benefitof users. For example, the personal information data can be used todeliver targeted content that is of greater interest to the user.Accordingly, use of such personal information data enables calculatedcontrol of the delivered content. Further, other uses for personalinformation data that benefit the user are also contemplated by thepresent disclosure.

The present disclosure further contemplates that the entitiesresponsible for the collection, analysis, disclosure, transfer, storage,or other use of such personal information data will comply withwell-established privacy policies and/or privacy practices. Inparticular, such entities should implement and consistently use privacypolicies and practices that are generally recognized as meeting orexceeding industry or governmental requirements for maintaining personalinformation data private and secure. For example, personal informationfrom users should be collected for legitimate and reasonable uses of theentity and not shared or sold outside of those legitimate uses. Further,such collection should occur only after receiving the informed consentof the users. Additionally, such entities would take any needed stepsfor safeguarding and securing access to such personal information dataand ensuring that others with access to the personal information dataadhere to their privacy policies and procedures. Further, such entitiescan subject themselves to evaluation by third parties to certify theiradherence to widely accepted privacy policies and practices.

Despite the foregoing, the present disclosure also contemplatesembodiments in which users selectively block the use of, or access to,personal information data. That is, the present disclosure contemplatesthat hardware and/or software elements can be provided to prevent orblock access to such personal information data. For example, in the caseof advertisement delivery services, the present technology can beconfigured to allow users to select to “opt in” or “opt out” ofparticipation in the collection of personal information data duringregistration for services. In another example, users can select not toprovide location information for targeted content delivery services. Inyet another example, users can select to not provide precise locationinformation, but permit the transfer of location zone information.

Example System Architecture

FIG. 9 is a block diagram of an example computing device 900 that canimplement the features and processes of FIGS. 1-8 . The computing device900 can include a memory interface 902, one or more data processors,image processors and/or central processing units 904, and a peripheralsinterface 906. The memory interface 902, the one or more processors 904and/or the peripherals interface 906 can be separate components or canbe integrated in one or more integrated circuits. The various componentsin the computing device 900 can be coupled by one or more communicationbuses or signal lines.

Sensors, devices, and subsystems can be coupled to the peripheralsinterface 906 to facilitate multiple functionalities. For example, amotion sensor 910, a light sensor 912, and a proximity sensor 914 can becoupled to the peripherals interface 906 to facilitate orientation,lighting, and proximity functions. Other sensors 916 can also beconnected to the peripherals interface 906, such as a global navigationsatellite system (GNSS) (e.g., GPS receiver), a temperature sensor, abiometric sensor, magnetometer or other sensing device, to facilitaterelated functionalities.

A camera subsystem 920 and an optical sensor 922, e.g., a chargedcoupled device (CCD) or a complementary metal-oxide semiconductor (CMOS)optical sensor, can be utilized to facilitate camera functions, such asrecording photographs and video clips. The camera subsystem 920 and theoptical sensor 922 can be used to collect images of a user to be usedduring authentication of a user, e.g., by performing facial recognitionanalysis.

Communication functions can be facilitated through one or more wirelesscommunication subsystems 924, which can include radio frequencyreceivers and transmitters and/or optical (e.g., infrared) receivers andtransmitters. The specific design and implementation of thecommunication subsystem 924 can depend on the communication network(s)over which the computing device 900 is intended to operate. For example,the computing device 900 can include communication subsystems 924designed to operate over a GSM network, a GPRS network, an EDGE network,a Wi-Fi or WiMax network, and a Bluetooth™ network. In particular, thewireless communication subsystems 924 can include hosting protocols suchthat the device 100 can be configured as a base station for otherwireless devices.

An audio subsystem 926 can be coupled to a speaker 928 and a microphone930 to facilitate voice-enabled functions, such as speaker recognition,voice replication, digital recording, and telephony functions. The audiosubsystem 926 can be configured to facilitate processing voice commands,voiceprinting and voice authentication, for example.

The I/O subsystem 940 can include a touch-surface controller 942 and/orother input controller(s) 944. The touch-surface controller 942 can becoupled to a touch surface 946. The touch surface 946 and touch-surfacecontroller 942 can, for example, detect contact and movement or breakthereof using any of a plurality of touch sensitivity technologies,including but not limited to capacitive, resistive, infrared, andsurface acoustic wave technologies, as well as other proximity sensorarrays or other elements for determining one or more points of contactwith the touch surface 946.

The other input controller(s) 944 can be coupled to other input/controldevices 948, such as one or more buttons, rocker switches, thumb-wheel,infrared port, USB port, and/or a pointer device such as a stylus. Theone or more buttons (not shown) can include an up/down button for volumecontrol of the speaker 928 and/or the microphone 930.

In one implementation, a pressing of the button for a first duration candisengage a lock of the touch surface 946; and a pressing of the buttonfor a second duration that is longer than the first duration can turnpower to the computing device 900 on or off. Pressing the button for athird duration can activate a voice control, or voice command, modulethat enables the user to speak commands into the microphone 930 to causethe device to execute the spoken command. The user can customize afunctionality of one or more of the buttons. The touch surface 946 can,for example, also be used to implement virtual or soft buttons and/or akeyboard.

In some implementations, the computing device 900 can present recordedaudio and/or video files, such as MP3, AAC, and MPEG files. In someimplementations, the computing device 900 can include the functionalityof an MP3 player, such as an iPod™. The computing device 900 can,therefore, include a 36-pin connector that is compatible with the iPod.Other input/output and control devices can also be used.

The memory interface 902 can be coupled to memory 950. The memory 950can include high-speed random access memory and/or non-volatile memory,such as one or more magnetic disk storage devices, one or more opticalstorage devices, and/or flash memory (e.g., NAND, NOR). The memory 950can store an operating system 952, such as Darwin, RTXC, LINUX, UNIX, OSX, WINDOWS, or an embedded operating system such as VxWorks.

The operating system 952 can include instructions for handling basicsystem services and for performing hardware dependent tasks. In someimplementations, the operating system 952 can be a kernel (e.g., UNIXkernel). In some implementations, the operating system 952 can includeinstructions for performing voice authentication. For example, operatingsystem 952 can implement the media account access management features asdescribed with reference to FIGS. 1-8 .

The memory 950 can also store communication instructions 954 tofacilitate communicating with one or more additional devices, one ormore computers and/or one or more servers. The memory 950 can includegraphical user interface instructions 956 to facilitate graphic userinterface processing; sensor processing instructions 958 to facilitatesensor-related processing and functions; phone instructions 960 tofacilitate phone-related processes and functions; electronic messaginginstructions 962 to facilitate electronic-messaging related processesand functions; web browsing instructions 964 to facilitate webbrowsing-related processes and functions; media processing instructions966 to facilitate media processing-related processes and functions;GNSS/Navigation instructions 968 to facilitate GNSS andnavigation-related processes and instructions; and/or camerainstructions 970 to facilitate camera-related processes and functions.

The memory 950 can store other software instructions 972 to facilitateother processes and functions, such as the media account accessmanagement processes and functions as described with reference to FIGS.1-8 .

The memory 950 can also store other software instructions 974, such asweb video instructions to facilitate web video-related processes andfunctions; and/or web shopping instructions to facilitate webshopping-related processes and functions. In some implementations, themedia processing instructions 966 are divided into audio processinginstructions and video processing instructions to facilitate audioprocessing-related processes and functions and video processing-relatedprocesses and functions, respectively.

Each of the above identified instructions and applications cancorrespond to a set of instructions for performing one or more functionsdescribed above. These instructions need not be implemented as separatesoftware programs, procedures, or modules. The memory 950 can includeadditional instructions or fewer instructions. Furthermore, variousfunctions of the computing device 900 can be implemented in hardwareand/or in software, including in one or more signal processing and/orapplication specific integrated circuits.

We claim:
 1. A tangible, non-transitory, computer-readable medium,comprising computer-readable instructions that, when executed by one ormore processors of a computer, cause the computer to: generate agraphical user interface (GUI), the GUI comprising: a list of one ormore items having an ability to access content of a network mediaservice via an account authorized by a provider of the network mediaservice, the one or more items comprising at least one application, agrouping of two or more applications, at least one electronic device, atleast one application instance on a specific device, or any combinationthereof; and a set of access revocation affordances, wherein each of theset of access revocation affordances corresponds to one of the one ormore items to selectively trigger revocation of the ability to accessthe content of the network media service by the corresponding item;receive an input associated with one of the set of access revocationaffordances; and in response to receiving the input, cause revocation ofthe ability to access the content of the network media service by anitem corresponding to the one of the set of access revocationaffordances despite the account being still authorized.
 2. The tangible,non-transitory, computer-readable medium of claim 1, wherein the one ormore items comprise the at least one application.
 3. The tangible,non-transitory, computer-readable medium of claim 2, comprisingcomputer-readable instructions that, when executed by the one or moreprocessors of the computer, cause the computer to: cause revocation ofthe ability to access the content of the network media service to the atleast one application across multiple electronic devices associated witha common user account.
 4. The tangible, non-transitory,computer-readable medium of claim 1, wherein the one or more itemscomprise the at least one electronic device.
 5. The tangible,non-transitory, computer-readable medium of claim 1, wherein the one ormore items comprise the at least one application instance on a specificdevice.
 6. The tangible, non-transitory, computer-readable medium ofclaim 1, wherein the one or more items comprise the grouping of the twoor more applications.
 7. The tangible, non-transitory, computer-readablemedium of claim 6, wherein the grouping of the two or more applicationsis based upon a common vendor of the two or more applications.
 8. Thetangible, non-transitory, computer-readable medium of claim 1, whereinthe GUI comprises a webpage generated by the network media service. 9.The computer-readable medium of claim 1, comprising computer-readableinstructions that, when executed by the one or more processors of thecomputer, cause the computer to: cause the revocation of the ability toaccess the content of the network media service by the itemcorresponding to the one of the set of access revocation affordances, bytransmitting a token revocation message to the network media service.10. The computer-readable medium of claim 9, wherein the tokenrevocation message comprises an identification of at least oneapplication, electronic device, application instance on a specificdevice, or any combination thereof associated with the itemcorresponding to the one of the set of access revocation affordances.11. The computer-readable medium of claim 1, wherein the input comprisesa token revocation message, the computer-readable medium comprisingcomputer-readable instructions that, when executed by the one or moreprocessors of the computer, cause the computer to: cause the revocationof the ability to access the content of the network media service by theitem corresponding to the one of the set of access revocationaffordances, by revoking an access token associated with the itemcorresponding to the one of the set of access revocation affordances.12. The computer-readable medium of claim 11, comprisingcomputer-readable instructions that, when executed by the one or moreprocessors of the computer, cause the computer to: revoke the accesstoken by marking the access token invalid by storing a revocation timestamp indicative of a revocation date, revocation time, or bothindicating when the revocation occurred.
 13. The computer-readablemedium of claim 12, comprising computer-readable instructions that, whenexecuted by the one or more processors of the computer, cause thecomputer to: determine that the access token is revoked by identifyingthat the revocation time stamp is later than a token issuance timestampindicative of when the access token was issued.
 14. Thecomputer-readable medium of claim 1, comprising computer-readableinstructions that, when executed by the one or more processors of thecomputer, cause the computer to: in response to receiving the input,cause revocation of an ability to access, by the item corresponding tothe one of the set of access revocation affordances, content of localmedia stored on an electronic device, the local media associated withthe network media service.
 15. A computing device, comprising: a memory;and one or more processors, configured to: generate a graphical userinterface (GUI), the GUI comprising: a list of one or more items havingan ability to access content of a network media service via an accountauthorized by a provider of the network media service, the one or moreitems comprising at least one application, a grouping of two or moreapplications, at least one electronic device, at least one applicationinstance on a specific device, or any combination thereof; and a set ofaccess revocation affordances, wherein each of the set of accessrevocation affordances corresponds to one of the one or more items toselectively trigger revocation of the ability to access the content ofthe network media service by the corresponding item; receive an inputassociated with one of the set of access revocation affordances; and inresponse to receiving the input, cause revocation of the ability toaccess the content of the network media service by an item correspondingto the one of the set of access revocation affordances despite theaccount being still authorized.
 16. The computing device of claim 15,wherein the one or more processors are configured to: in response toreceiving the input, cause revocation of an ability to access, by theitem corresponding to the one of the set of access revocationaffordances, content of local media stored in memory associated with theitem corresponding to the one of the set of access revocationaffordances, the local media associated with the network media service.17. The computing device of claim 15, wherein the one or more itemscomprise the at least one application and the one or more processors areconfigured to cause revocation of the ability to access the content ofthe network media service to the at least one application on theelectronic device and additional electronic devices associated with theelectronic device.
 18. A computer-implemented method, comprising:generating a graphical user interface (GUI), the GUI comprising: a listof one or more items having an ability to access content of a networkmedia service via an account authorized by a provider of the networkmedia service, the one or more items comprising at least oneapplication, a grouping of two or more applications, at least oneelectronic device, at least one application instance on a specificdevice, or any combination thereof; and a set of access revocationaffordances, wherein each of the set of access revocation affordancescorresponds to one of the one or more items to selectively triggerrevocation of the ability to access the content of the network mediaservice by the corresponding item; receive an input associated with oneof the set of access revocation affordances; and in response toreceiving the input, cause revocation of the ability to access thecontent of the network media service by an item corresponding to the oneof the set of access revocation affordances despite the account beingstill authorized.
 19. The computer-implemented method of claim 18,comprising: in response to receiving the input, causing revocation of anability to access, by the item corresponding to the one of the set ofaccess revocation affordances, content of local media stored on anelectronic device, the local media associated with the network mediaservice.
 20. The computer-implemented method of claim 19, comprising:causing the revocation of the ability to access the content of thenetwork media service by the item corresponding to the one of the set ofaccess revocation affordances, by transmitting a token revocationmessage to the network media service.